Thank you Michael for the analysis. This bug has affected me too, and I think is particularly likely to affect security-conscious users since removing extra kernel modules is a basic hardening step.
Here are two other bug reports on this issue: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760513 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769356 and one blog post from someone who encountered this on a Wheezy -> Jessie upgrade due to the 'ipmitool' package (rather than cups). This is a security issue and really needs to be fixed -- how do we get this out to users?